Attack Source Traceback

Part of the SpringerBriefs in Computer Science book series (BRIEFSCOMPUTER)


In this chapter, we investigate attack source traceback in DDoS defence. We summarize the three major traceback methods to date: probabilistic packet marking, deterministic packet marking, and network-traffic-based traceback. We formulate each method and present an analysis of each.


Keywords: Attack Tree, Edge Router, Entropy Variation, Local Router, Attack Flow
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



Copyright information

© The Author(s) 2014

Authors and Affiliations

  • Shui Yu (1)

  1. School of Information Theory, Deakin University, Melbourne, Australia
